Law Firm Email Security Questions the ABA Should be Asking

Responding to the New York Times report that a foreign spy agency intercepted email messages between a large U.S. law firm to its client and then shared the information with the U.S. National Security Agency, the American Bar Association on February 20, 2014 sent a letter to the director and general counsel of the NSA. The ABA’s letter asks the NSA to explain how the agency deals with attorney-client privileged communications. The ABA also urges the NSA to not actively seek confidential communications between U.S. law firms and their clients, to respect attorney client privilege, and to take steps to ensure that any intercepted attorney-client communications are not further disseminated.

The Issue is Confidentiality, Not Merely Privilege

The ethics issues raised by this situation are not limited to whether attorney-client privilege was lost or preserved. Privilege is a rule of evidence. Privilege can be preserved even when information is wrongfully accessed.

Disclosure of client email messages may be a breach of the separate ethical duty for a lawyer to maintain the confidentiality of information related to the representation of the client. Once confidentiality is breached, it can’t readily be cured.

Email Security Concerns Go Beyond One Law Firm and One Client

The document cited by the NYT article only mentions communications between one U.S. law firm and one of its international clients. The scope of the governmental surveillance revealed by Edward Snowden, however, strongly suggests that emails from other law firms to other clients likely were swept up too. And spy agencies are not the only sources of unauthorized access of email messages. In this case, both parties involved in the interception happen to be governmental agencies. But if the “good guys” are intercepting and sharing emails, it’s likely the bad guys are doing it too. There seems to be plenty of blame to go around.

The ABA is Asking the Wrong Questions of the Wrong Party

The ABA directs its inquiries to a party that is accused of having received communications that were intercepted by another party. It is not apparent, however, whether the law firm whose email was leaked has been subjected to any questioning by the ABA or state bar associations – notwithstanding that the law firm owes ethical duties to the client (or clients) whose communications were involved.

The Right Questions to Ask

Below are questions that the ABA and state bar associations should be asking the law firm involved in this incident. They are questions that all lawyers should be asking themselves about their use of email that involves information related to the representation of a client.

Do Your Lawyers Know That Email Interception Routinely Occurs?

The NYT article cited a document from February 2013 that revealed that the Australian spy agency was intercepting communications between the Indonesian government and its U.S. law firm. So it’s not entirely clear that, at the time of the interceptions noted in the February report, that law firm knew or should have know that a third party was actually intercepting email communications between U.S. and international correspondents. According to the NYT report, however, the Mayer Brown lawyer handling the matter was aware of the risk that the firm was leaking client confidences in email:

“I always wonder if someone is listening, because you would have to be an idiot not to wonder in this day and age,” he said in an interview. “But I’ve never really thought I was being spied on.”

So, even in February 2013, the law firm apparently was aware of the risk of email interception.

Even though email interception and unauthorized access has happened regularly for years, the general awareness of email interception broadened with the widely-publicized Snowden revelations. The fact that NSA and other spy agencies have been intercepting email communications – particularly those involving a party outside the U.S. – has been well disseminated in news media since the disclosure made by Edward Snowden in June 2013. Since those reports, all lawyers should be aware that governmental and non-governmental interceptions might capture any ongoing email communications with clients – particularly clients outside the U.S. Email interception is still going on. And although there are slightly more constraints on the NSA, those don’t apply to other parties who are intercepting email.

Are Your Lawyers Aware of Their Ethics Duties to Protect Email?

Every state bar association has adopted some version of ABA Model Rule 1.6 – Confidentiality of Information. Those versions typically impose on lawyers a duty to avoid unauthorized disclosure of information related to the representation of a client. That includes disclosures via interception of, or unauthorized access to, email communications.

In August 2012, the American Bar Association adopted changes to Model Rule 1.6 of the ABA Model Rules of Professional Conduct by adding the following sentence:

“A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.”

That entails more than passive avoidance of disclosure by the attorney. It requires proactive steps to protect information. It requires the lawyer to use reasonable data security measures.

Do Your Lawyers Know that Unencrypted Email is NOT Always Permitted?

It’s true that lawyers may use unencrypted email – but not in every situation. In Formal Opinion 99-413 (Protecting the Confidentiality of Unencrypted Email), the ABA concluded that, in general, a lawyer may transmit information relating to the representation of a client by unencrypted email. ABA Formal Opinion 99-413 also said that particularly strong protective measures are warranted to protect highly sensitive information and that the lawyer should consult with the client and follow the client’s instructions about the mode of transmitting highly sensitive information. Similarly, the consensus among state bar associations is that lawyers may communicate with clients using unencrypted email – but that approval is conditioned by words such as “under ordinary circumstances,” “in most instances” and “generally.”

Lawyers also need to consider that the world has changed since those opinions were issued almost two decades ago – before webmail and smartphones – so our security and privacy expectations have evolved, even though the 1986 Electronic Communications Privacy Act has not.

In some situations, the use of email encryption is mandatory. For example, lawyers cannot use unencrypted email to transmit protected personal information of a Massachusetts resident.Massachusetts has one of the most rigorous state privacy laws in the United States.201 CMR 17.00mandates a broad set of requirements for the protection of personal information of the state’s residents.Subsection 17.04(3) requires “[e]ncryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.” Also, lawyers need to comply with HIPAA and other privacy and security rules that effectively require encryption of transmitted personal data.

Are Your Lawyers Using Reasonable Measures to Secure Email?

In comments to Model Rule 1.6(c), the ABA provides a non-exclusive list of factors to be considered in determining the reasonableness of the lawyer’s data security efforts to protect electronic communications. They require the lawyer to consider:

the sensitivity of the information,

the likelihood of disclosure if additional safeguards are not employed,

the cost of employing additional safeguards,

the difficulty of implementing the safeguards, and

the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

In a similar vein, some state bar associations expect lawyers to take special care when transmitting and storing data in the Cloud. For example, On May 17, 2012, the Committee on Professional Ethics of the Massachusetts Bar Association addressed in Opinion 12-03 whether lawyers in that state are, consistent with ethics rules, entitled to store and synchronize electronic work files containing confidential client information using an Internet-based storage solution. Opinion 12-03 concludes that Massachusetts lawyers are permitted to use Cloud document storage and transmission solutions on the condition that they undertake reasonable efforts to ensure that the solution provider’s terms of use and data privacy policies, practices and procedures are compatible with the lawyer’s professional obligations. Opinion 12-03 says that “reasonable efforts” with respect to a Cloud document storage and transmission provider would include:

examining terms of use and written policies and procedures about data privacy and the handling of confidential information;

ensuring terms of use and written policies and procedures prohibit unauthorized access to data;

ensuring terms of use and written policies and procedures, as well as its functional capabilities, give reasonable access to, and control over, the data stored on the provider’s system;

exmining practices and service history to reasonably ensure that data stored actually will remain confidential; and

periodically revisiting and reexamining those policies, practices and procedures.

The opinion does not say this is an exclusive list of steps that a lawyer must take to meet a reasonable efforts standard. It merely says that reasonable efforts “would include” those items. There may, therefore, be additional steps that are reasonable for an attorney to take to protect client confidential information.

The Massachusetts opinion fails to mention that email is inherently a Cloud service. Email actually raises more security concerns than other Cloud services. Once email leaves the sender’s network, the sender cannot know or control the locations of the multiple servers through which the data might be routed, whether and for how long the data is stored on those servers, how the data is secured by the various service providers, the ability of third parties to access the data, or the terms and conditions of all of the relevant email service participants.

Is Email Encryption Part of Your Law Firm’s Cybersecurity Procedures?

Many lawyers say the new NIST Cybersecurity Framework should serve as a general guide for information security oversight and risk assessments, regardless of the industry. The NIST Cybersecurity Framework includes an assessment of whether “Data-in-transit is protected.” As discussed below, the standard for protection of email is the use of encryption.

Below are some procedural steps typically implemented by businesses that handle sensitive information. Does your law firm have them?

The FTC directs businesses to “encrypt sensitive information that you send to third parties over public networks (like the Internet)” and to “consider also encrypting email transmissions within your business if they contain personally identifying information.” The FTC guidance strongly suggests that lawyers may not be acting reasonably when they send confidential client information via unencrypted email.

There’s even more specific legal industry guidance. In the 2011 ALAS Loss Prevention Journal, an article titled Data and Privacy Protection in a Regulated Worldrecommended that law firms “encrypt all protected information sent from or stored on any electronic device.” The International Legal Technical Standards Organization proposed in its 2011 Guidelines for Legal Professionals that “whenever client data is transmitted across the Internet, it must be encrypted at every point.” The State Bar of California, in Formal Opinion 2010-179, said that “encrypting email may be a reasonable step for an attorney to take in an effort to ensure the confidentiality of such communications remain so when the circumstance calls for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.”

Every time a lawyer hits “Send” on an unencrypted email, there is a risk of unauthorized interception of or access to that message. The ABA’s Formal Opinion 11-459 says that a lawyer has an obligation to warn the client about the risk of using electronic communications (including email) whenever circumstances present a “significant risk” that a third party may gain access to the content of unencrypted electronic communications. That risk assessment probably changed in June 2013, when Snowden’s revelations about widespread email snooping became known, but there are lots of circumstances besides NSA surveillance that can present a “significant risk” of disclosure of unsecured email.

Did Your Client Consent to the Lawyer’s Use of Unencrypted Email?

The confidentiality provision in state bar ethics rules typically says that lawyers should not reveal confidential information relating to the representation of a client unless the client “consents after consultation.” The rules define “consultation” to mean the communication of information reasonably sufficient to permit the client to appreciate the significance of the matter in question. In other words, the rules require the client’s informed consent before confidential information can be revealed – and regardless of the sensitivity of the information.

Sticking a boilerplate Confidentiality Notice at the bottom of every email your firm sends likely does not suffice as a warning to your clients about email security risks. Nor does it suffice to gain consent from your clients for your use of unsecured email.

Before continuing to use unencrypted, unsecured email, lawyers should consider describing in client engagement letters:

the lawyer’s duty of confidentiality;

that there are risks of inadvertent disclosure, interception or unauthorized access of email and other electronic information by third parties (some clients or matters may present a heightened risk);

how the lawyer intends to use email or other Cloud services to transmit and store information related to the representation of the client;

a summary of relevant data security practices (e.g., reference to written procedures); and

that signing the engagement letter constitutes the client’s consent for the lawyer to use unencrypted email and the described cloud services.

FYI: Playing it Safe With Encryption

That’s that title of the ABA Legal Technology Resource Center’s page that advocates the use of encryption. The ABA’s own web site points out that confidentiality and privilege is at risk during the routine transmission of an electronic communication. According to the ABA: Email encryption reduces this risk.

So, when issues arise about confidentiality of lawyer email shouldn’t the ABA’s first question be “Why wasn’t your email encrypted?”